Security News, Articles and Updates

Processors should practice SafeSpec to overcome Spectre/Meltdown problems

Scientists have devised a way to defeat the Meltdown and Spectre security vulnerabilities caused by speculative execution in modern processors.

API security: A modern day gold rush?

The problem with a bolt-on approach to API security is that these API frameworks and toolkits are inherently insecure by definition and were never designed with security in mind, but rather designed for integration.

Flawed code-signing process could let malware appear as Apple-approved

Developers & vendors of numerous third-party security, forensics & incident response products for Mac computers have started issuing patches after researchers realised their software wasn't interacting with Apple's code-signing API.

Mozilla patches heap buffer overflow in Firefox browsers

The Mozilla Foundation Security has released an advisory to patch critical vulnerabilities in Firefox and Firefox ESR products which could allow a remote attacker to take control of an affected system.

Update: Subdomain flaw puts users at risk

Security researchers are reporting a phishing attack technique which hackers may be using in the wild, and could put websites at risk of attack.

A year on from WannaCry, a new kind of system is needed for security maintenance

Enterprise Agreements whereby vendors agree to sell a specified amount of software and hardware over a certain timeframe are evolving to offer more customer support and expanding to include security and software updates.

Trickbot and IcedID team up to boost revenues from victims

The botnet operators behind IcedID and Trickbot are collaborating with each other and possibly sharing their ill-gotten gains, according to security researchers.

Blockchain platform EOS found containing critical security vulnerabilities

Security researchers have uncovered several security vulnerabilities in blockchain platform EOS, some of which can be exploited by hackers to remotely execute arbitrary code on EOS nodes.

Iris scanners gaining ground on fingerprint readers as a security measure

The biometric side of the cyber-security equation is getting ready to put fingerprint readers in its rear-view mirror as newer technologies coming into the market prove more capable.

DTS bug bounty challenge yields 654 valid, unique vulnerabilities

Hackers filed more than 100 security vulnerability reports during the 29-day Hack the DTS (Defence Travel System) bug bounty initiative and amassed nearly US$ 80,000 (£60,183) for their efforts.

Can AI smarts replace humans in the Security Operations Centre?

Newly published research suggests 27 percent of enterprise security teams see more than 1 million alerts per day, and more than half of IT professionals admit they are struggling to identify critical incidents and false positives alike.

Flaw in Git could result in remote code execution

Vulnerability patched in Git source code versioning software. Security researchers have discovered a number of flaws in Git that could have enabled hackers to run remote code on a victim's PC.

Researchers find easily-exploitable vulnerabilities in BMW's in-car systems

Security researchers at Tencent's Keen Security Lab have revealed that Internet-connected systems in several BMW cars feature vulnerabilities that allow malicious actors to hack into such vehicles via a set of remote attack surfaces.

Satori botnet searching internet for open Ethereum mining rigs

Increasing value of cryptocurrency sees hackers look out for mining hardware. Security researchers have discovered a large Satori botnet that is scanning the internet for exposed Ethereum cryptocurrency mining rigs.

Why the answer to IT security woes isn't just hiring more talent

Hiring more talent does not mean better security. No amount of additional talent or resource will improve your security posture if you don't fix your underlying broken patching processes. Automation is the answer.

Adobe releases more updates following Patch Tuesday fixes

After patching a confusion flaw in Flash last week, Adobe today issued security updates for Adobe Acrobat and Reader for Windows and MacOS.

Critical PGP/GPG, S/MIME vulnerabilities require immediate action

A group of European security researchers readied the release of a paper for early 15 May detailing vulnerabilities in PGP/GPG and S/MIME email encryption that could reveal the plaintext of encrypted emails.

38 "games and educational apps" kicked out from Google Play Store

Security researchers recently discovered the presence of 38 malicious apps on the Google Play Store that were not only disguised as games and education apps but also redirected victims to install other apps from the Play Store.

Vulnerability in Electron could pose danger to Skype and WordPress web apps

A security vulnerability has been discovered in a software framework used by web apps that could enable hackers to execute remote code. The problem could affect many web apps that use the framework.

LG patches RCE bug in smartphone keyboards

LG on Monday released a security update fixing a high-severity remote code execution vulnerability found in the default keyboards of all its mainstream smartphone models.

NIS Directive comes into force to boost infrastructure cyber-security

The Security of Network Information Systems (NIS) Directive, which aims to ensure that critical infrastructure is protected from cyber-attacks and computer network failure, has come into force today with fines for non-compliance.

Hide and Seek IoT botnet re-emerges

Security researchers have discovered a new form of the Hide and Seek IoT malware. The latest version can now survive a reboot of the infected device.

Patch Tuesday: Microsoft mends RCE bug exploited by cyber-espionage group

Microsoft Corporation's Patch Tuesday security update yesterday fixed 67 bugs, including two that have been actively exploited in zero-day attacks, and another two whose details became public.

Flaws in Logitech's Harmony Hub devices allowed hackers to gain root access

Last year, Logitech announced that the security certificate of its Harmony Link IoT device, which allowed users to control their home cinema setup using a universal remote control, was to expire on 16 March 2018.

Fake Android AV app re-emerges

Armor for Android resurfaces as Android's Antivirus. A fake anti-virus app has re-emerged on Android devices, according to security researchers.

Zero-Day vulnerability found in two Schneider Electric ICS products

Tenable Security researchers have revealed a Zero Day flaw in two Schneider Electric industrial controllers that, if exploited, could give an attacker the ability to remotely execute code with high privileges.

Millions of fibre broadband routers open to remote control by hackers

Critical vulnerability allows attackers to bypass authentication. Security researchers have found flaws in fibre-optic broadband routers that enable hackers to bypass security and take over devices.

Despite increased cyber-risk awareness, poor password hygiene still rules

New research has revealed that even though people are now more aware of security best practices than in the past, their password management has remained largely unchanged.

PoC code can crash Windows systems, even when locked

Security researchers have found a flaw in Windows that could allow hackers to crash a system when they insert a USB stick with specially crafted code. The problem happens even when Windows is locked.

Amazon Echo made to eavesdrop without exploit or manipulation

Checkmarx security researchers developed a proof of concept attack that would enable an Amazon Echo to continue recording a user long after a request is made.